Below is a screenshot of the JavaScript once it became viewable, after unpacking it with a self-built tool.

The whole JavaScript content was copied and pasted into Malzilla's decoder to de-obfuscate it. However, the JavaScript was protected by a second layer of encoding. To determine the final intent of the shellcode, I had to strip another obfuscation layer whose purpose is to evade detection.
Replacing every occurrence of the substring "\" with "%" turns the escaped string into the %uXXXX form that unescape() accepts, so it can be converted back into readable binary.
Finally the code was converted into readable form. However, there still appears to be shellcode that downloads malware after exploiting an unpatched Adobe Reader.
The final layer was de-obfuscated with the UCS-2 decoding method to reveal the malicious download link.
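The two decoding steps described above, as an added example in JavaScript that is not code from the original post: replace "\" with "%", decode the %uXXXX escapes as UCS-2 code units into little-endian bytes (what Malzilla's UCS2-to-hex step does), then carve the download URL out of the raw bytes. The obfuscated sample string, its 0x0c0c sled and the URL http://example.invalid/x.exe are constructed placeholders, not the real exploit's shellcode. The chain only decodes data; it never eval()s attacker JavaScript.

```javascript
// Added example, not from the original post. Decode-only: never eval() the
// attacker's JavaScript, just transform the string it carries.

// CONSTRUCTED sample (not real shellcode): a 0x0c0c sled, then an ASCII URL
// packed two bytes per \uXXXX escape (low byte first), then a NUL terminator.
// String.raw keeps the backslashes literal, as they appear in the dumped script.
const OBFUSCATED_SAMPLE = String.raw`\u0c0c\u0c0c\u0c0c\u0c0c\u7468\u7074\u2f3a\u652f\u6178\u706d\u656c\u692e\u766e\u6c61\u6469\u782f\u652e\u6578\u0000`;

// Step 1: the substitution the post describes. "\u0c0c" becomes "%u0c0c".
function backslashToPercent(s) {
  return s.replace(/\\/g, "%");
}

// Step 2a: the same decoding the legacy unescape() performs, written out so
// the rule is visible: %uXXXX -> one UTF-16 code unit, %XX -> one code unit
// in 0x00-0xFF. Anything else passes through unchanged.
function unescapeUcs2(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_m, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Step 2b: UCS-2 code units -> raw bytes. Shellcode packs two bytes per %u
// escape, low byte first, so 0x7468 yields "h","t". charCodeAt() is used
// rather than for...of so lone surrogate code units are kept as written.
function ucs2ToBytes(s) {
  const out = new Uint8Array(s.length * 2);
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out[2 * i] = c & 0xff;
    out[2 * i + 1] = c >> 8;
  }
  return out;
}

// Carve URLs out of the decoded bytes: map each byte to a Latin-1 character
// and look for http(s):// followed by printable ASCII, like `strings | grep http`.
function carveUrls(bytes) {
  let text = "";
  for (const b of bytes) text += String.fromCharCode(b);
  return text.match(/https?:\/\/[\x21-\x7e]+/g) || [];
}

// Whole chain: obfuscated string -> list of download URLs found in the shellcode.
function recoverDownloadUrls(obfuscated) {
  const bytes = ucs2ToBytes(unescapeUcs2(backslashToPercent(obfuscated)));
  return carveUrls(bytes);
}

// Hex view of the decoded bytes, for eyeballing the result as Malzilla shows it.
function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join(" ");
}

console.log(toHex(ucs2ToBytes(unescapeUcs2(backslashToPercent(OBFUSCATED_SAMPLE)))));
console.log(recoverDownloadUrls(OBFUSCATED_SAMPLE));
```

The byte order matters: a %u escape holds two bytes with the low byte first, so a decoder that emits the high byte first would produce "ht" as "th" and the URL would not be found. Running the decoded bytes through the same carving step on a real sample is the point at which a defanged link such as the one reported below shows up.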
The exploit PDF file had a poor detection rate when submitted to VirusTotal: only 4 of 41 engines flagged it.
Malicious link: "domensm.cn" (59.125.231.252)
Hostnames sharing the same IP address:
awamujirapa.com
crash-cxim.cn
cxim-way.cn
domenpoxuj.cn
domensm.cn
google-update-checker.cn
idkfa.cn
kenstwistedminde.com
kloumixooon.cn
mail.adobe-updating-service.cn
mail.awamujirapa.com
mail.cxim-way.cn
mail.cximnik.cn
mail.domenpoxuj.cn
mail.eg4110.com
mail.idkfa.cn
mail.kloumixooon.cn
mail.olokedu.com
mail.sashahost.cn
mail.usrvnu.ru
mail.usrvzi.ru
mail.wesssrett.cn
mail.xewyny.ru
muzzon837.cn
mydearmishima.com
myspeedstrip.com
ns1.eg4110.com
ns2.eg4110.com
ola-la.cn
olokedu.com
peezero.net
pi-samba.com
pumigamez.com
sashahost.cn
seekasonghere.com
shkens.net
theslytube.com
tubepornsearchonline.com
usrvzi.ru
wesssrett.cn
www.adwarcontrol.cn
www.idkfa.cn
www.kloumixooon.cn
www.mydearmishima.com
www.shkens.net
www.tubepornsearchonline.com
www.usrvzi.ru
xewyny.ru
2 comments:
Hello
I have been trying to find a site that exploits using this vulnerability, and the one you posted seems to have been taken offline. Do you have any more domains using this exploit?
Hi,
The links that host this kind of exploit easily go offline. How about trying to get a similar exploit from "hxxp://sirius.mn/yes2/cache/PDF.php?st=Internet%20Explorer%206.0%7CWindows%20XP"?
I believe it will help.